xref: /xen/docs/designs/argo.pandoc

6 primitives to transmit data between VMs, by performing data copies into
10 Argo has requirements for performance isolation between domains, to prevent
19 according to the agreed transfer protocol. This structure ensures that
20 there is strength to the transport mechanism, because the transmitting side
27 - Provide a protocol implementation adhering to hardware synchronization
28 requirements for concurrent access to system memory by communicating
33 - Transmit only the intended data, adhering to the access protocol of the data
43 This structure allows for augmentation by the hypervisor to identify the
46 to make decisions based on fine-grained knowledge of the source of the data.
56 goal is to limit mutual exclusion to only where required and enable significant
60 that pertains to more than one domain, a locking protocol defines which locks
68 2. Avoidance of DoS of rings by domains that are not authorized to send to them
72 Argo uses three per-domain locks to protect three separate data structures.
73 Access to the ring_hash data structure is confined to domains that a
74 ring-registering domain has authorized to send data via the ring.  The complete
86 global Argo state is the `L1_global_argo_rwlock` used to coordinate access to
91 This includes the state to run that ring, such as memory frame numbers and
101 This state belonging to the permitted sender is written to when a ring is
102 registered by another domain. The lock that protects this state is subject to
104 -- which do not need any permission granted by this domain in order to register
105 a ring to communicate with it --  so it must not inhibit the domain's own
106 ability to use its own rings, to protect them from DoS. For this reason, this
111 This data structure is needed when a domain is destroyed, to cancel the
122 In the case where a notification is sent, access to the data structure is
131 reader/writer locks to enable increased concurrency when operations do not
136 * There is a global rwlock (`L1`) to protect access to all of the per-domain
138 * There is a rwlock per-domain (`rings_L2`) to protect the hashtable of the
140 * There is a lock per ring (`L3`) to protect the per-ring data structure,
146 The protocol to safely acquire write access to the per-ring data structure,
158 This second sequence grants write access to _all_ of the `argo_ring_info`
159 structs belonging to the domain, but at the expense of less concurrency: no
167 This grants write access to _all_ of the `argo_ring_info` structs belonging to
180 The rationale for having a global lock is to be able to enforce system-wide
181 exclusion for a critical region and simplify the logic required to avoid
189 granular per-domain locks could be used to do that, but since domain start and
190 stop is expected to be a far less frequent operation than the other argo
191 operations, acquiring a single read lock to enable access to all the argo
199    * All of the unicast partner rings owned by other domains for this domain to
200 send to, are destroyed.
213 is free to safely modify the Argo state across all domains without having to
227 struct `argo_ring_info` belonging to this domain.
237 `W(L1_global_argo_rwlock)` is held, then `rings_L2_rwlock` does not need to be
244 * Any domain that is allowed to send to the ring -- so that's the partner
257 * The domain that has been allowed to send, as part of teardown when the domain
265 Protects: the per-domain list of pending notifications to the domain from
270 * The domain that issued a query to another about space availability in one of
273 * Any domain that the domain has issued a query to about space availability in
286 A common model for reasoning about concurrent code focusses on accesses to
293 An alternative method that is better suited to the Argo software is to consider
295 and locks released, from entering an operation, to the completion of the work.
302 If a function implements a section of the path, it is important to know not
307 communicate what the locking state is expected and intended to be when that
308 code is invoked. See the macros defined to support this for Argo later in this
312 ## Macros to Validate and Document Lock State
314 These macros encode the logic to verify that the locking has adhered to the
317 eg. On entry to logic that requires holding at least `R(rings_L2)`, this:
391 In the above example, it can be seen that it is safe to acquire the `L3` lock
399 Due to performance isolation / DoS avoidance: if there is a single per-domain
403 throughput due to the contention on the single per-domain lock. The granular
405 different rings by multiple VCPUs of the same domain without contention, to
412 The single global lock enables exclusive access to the argo data structures
416 gaining safe access to the data structures on each of the domains involved.
418 The 'send hashtable' data structure is needed in order to perform the teardown
425 locks and is used to obtain exclusive access to multiple domain's argo data
432 to obtain mutual exclusion and safe access to the state is required, without
436 multiple individual per-domain locks (and lower level data structure locks) to
437 prevent deadlock: taking W(L1) grants access to all and taking R(L1) ensures
445 - Provide assurance of connection source context to destination
447 transmission rings, to improve resistance to data read attacks on

Last Index update Sat Jun 03 09:59:21 CST 2023